Platform Security Vulnerability Management Lead

About the Role

Fivetran is building data pipelines to power the modern data stack for thousands of companies.

To support building customer trust in our solution, we’re looking for a Platform Security Vulnerability Management Lead to join Fivetran's Security team. In this role you will lead the function of collecting, verifying, and tracking platform security vulnerabilities to remediation.

This work is challenging and diverse as Fivetran is a multi-cloud environment operating on AWS, GCP, and Azure. You will manage a team responsible for selecting security tools to detect issues, establishing processes to handle incoming issue reports, run our vendor-supported penetration testing program, design and manage the analysis and triage process, prioritize issues, and create reports, metrics, and dashboards to motivate the engineering organization to address the findings, ultimately raising our security posture while meeting compliance requirements.

This is a full-time US remote position.

Technologies You'll Use

Bash, Python, JS, BigQuery, Sigma, Looker, Retool, Azure, AWS, GCP, Terraform, Docker, Kubernetes, Github, Buildkite, Sonar, SAST, SCA, DAST, WAF, ASPM, CSP

What You’ll Do

• Coordinate our semi-annual vendor-led pentesting engagement, including verification of results and pursuit of remediation 
• Manage both Cloud Infrastructure and Application Security vulnerabilities from a variety of sources: Internal/External Reports, SAST, SCA, Sonar, DAST, Pentesting, Security Scorecard, CSPM, and Incidents
• Analyze, validate, demonstrate, and adjust severity of vulnerabilities based on actual risk to the organization
• Document guidance to provide clarity about our vulnerability reporting and remediation processes
• Refine the secure coding and secure cloud configuration guidance and standards provided to engineers
• Develop innovative strategies to drive engineering to prioritize fixing issues, from most important to least, while reinforcing best practices in infrastructure, container dependency upgrades and 3rd-party library patching
• Evaluate, select, and manage effective tools for detecting and managing security vulnerabilities
• Take a “hands-on” approach to build automated integrations with security tools, as well as solutions to inventory, monitor, and report on vulnerability process maturity to leadership and other stakeholders
• Assist in shifting the culture toward “security by design” by performing root cause analysis (RCA) on the vulnerabilities and recommending improvements in process and habits to prevent issues from recurring
• Demonstrate satisfaction of internal policy and compliance requirements for SLAs by tracking metrics such as MTTR, vulnerability escape rate, and other SDLC and/or CI/CD pipeline measurements

Skills We’re Looking For

• Experience running third party penetration tests from contracting through remediation of findings
• Experience leading a thriving vulnerability management team and program that includes both Application Security and Cloud Security components
• Strong analytical skills to determine metrics and reports needed to drive action for both the team and the engineering organization
• Ability to conduct root cause analysis against vulnerabilities and determine feasible technical solutions
• Ability to communicate effectively with security and engineering leadership to influence the process and habit changes necessary to address vulnerability findings
• Technical background and ability to write scripts and code to integrate tool APIs with internal ticketing, ASPM/VM, and CI/CD pipeline tools
• Collaborative experience working closely with product teams, SRE/DevOps, and software engineers to drive adoption of security mindset into processes and SDLC habits

Bonus Skills​

• Strong understanding of cloud infrastructure and container vulnerability scanning techniques in multi-cloud environments as well as IaC, containers, CSPM security tools such as Lacework, Trivy, Prisma, Qualys, StackRox, AquaSec, Twistlock.
• Ability to manage and perform triage/validation of Application Security vulnerabilities, including those found in the OWASP Top 10 and the Application Security Verification Standard (ASVS)
• Experience with cloud-native container deployment architecture (Kubernetes, Docker, GKE, EKS, AKS) and IaC automation tools (CloudFormation, Terraform, Ansible, Chef, Puppet or Lambda)

#LI-REMOTE #LI-RS1